A Revised Denotational Semantics for the Dataflow Algebra. A. J. Cowling

Transcription

1 Verification and Testing Research Group, Department of Computer Science, University of Sheffield, Regent Court, 211, Portobello Street, Sheffield, S1 4DP, United Kingdom dcs.shef.ac.uk Telephone: Fax: Abstract Previously a version of the abstract syntax for the dataflow algebra has been defined that is based on a simpler and more appropriate model of the underlying semantic domain than the one used in the original definition of the algebra. Also a denotational semantics for the algebra has been presented, as part of the same report, which corresponded to this simplified abstract syntax. This report corrects an error that had been identified in that denotational semantics, by describing a counter-example which illustrates the nature of that, and then defining a new version of the denotational semantics that avoids this error, and also simplifies some aspects of the definition of the semantics. The report then goes on to show that this corrected version of the denotational semantics is complete and consistent with the axioms of the algebra. Key Words and Phrases Formal specifications, dataflow algebra, semantic domains, syntax of expressions, semantics of expressions. 1. Introduction The dataflow algebra (DFA from now on) has developed so far through three stages. The first stage was mainly concerned just with identifying the principles of a model that could capture aspects of the behaviour of systems where the static structure could be described in terms of data flow diagrams [1], and as such this stage was comparatively informal. The second stage was much more formal, and involved the definition of an abstract syntax for the DFA [2], and the use of this by Nike in the work for his PhD thesis [3]. This stage was also characterised by the initial development of tools for manipulating DFA specifications [4], and hence the need to introduce a formal numbering system for different versions of the DFA notation, so that the initial stage was defined to be version 0, and this stage version number 1 (to be precise, 1.0.0). It was at this stage that the concept of DFA specifications being structured into three layers of detail was formalised. More recently, the third stage has involved defining a much simpler abstract syntax for the DFA [5], which renames the three layers in a specification, so that (in the order in which they need to be developed when describing a system) they are now referred to as the topological layer, the event layer and the computation layer. This abstract syntax also made much clearer the structure of the semantic domains involved (known as SeqConst, SeqExp and Seq) and the relationships between them. This stage, which effectively defined version 2 (or, strictly, 2.0.0) of the DFA notation, also provided a much more rigorous definition of the denotational semantics for the event layer of the DFA (that is, the one formerly known as the syntactic layer). As part of this definition, this stage also corrected some errors that had been found in the definitions of the denotational semantics used in version 1, as these definitions had been given in [2]. To complement this, an operational semantics was then also defined for the event layer [6]. The next step in the development of the DFA involved recognising that both the denotational semantics and the operational semantics use models that reflect particular forms for the structures of complex sequences, such that any sequence can be expressed in terms of these particular forms. These forms for sequences could therefore be referred to as normal forms, where a form could be classed as normal if every element of SeqConst was equal to an element that is in the normal form. This then suggests as a consequence that, for any normal form, it should be possible to define a function that will map an arbitrary sequence into one that is equal to it and that is in that normal form. In the early stages of exploring this concept, though, it became obvious that the properties of any such normal forms would have to be intimately associated with the properties of the formal semantics from which they were derived. In the

2 course of analysing these for the denotational semantics as these had been presented in [5], however, a problem was identified in the form of a counter-example to one of the theorems for the soundness of the semantics. This problem clearly needed to be corrected before any further work could be done on the concept of normal forms, and so the purpose of this report is firstly to describe the nature of that problem, and secondly to correct it. Hence, the structure of this report is that it begins by presenting this problem in section 2, and further revising the denotational semantics to correct it, so as to define what will be termed version 3 (strictly 3.0.0) of the DFA notation. A consequence of this revision is that, while it simplifies some aspects of the semantics, the notion of an invariant for them becomes more complex than previously, and so section 3 presents the results required to establish that the proposed property is actually an invariant. Section 4 then presents the revised versions of the results for soundness of the semantics that were given originally in section 9 of [5], and since some of the proofs of these results are quite lengthy this section forms the bulk of the report. Section 5 then similarly presents the revised versions of the results for completeness of the semantics, for which the original versions were given in section 10 of [5]. Finally, section 6 summarises the conclusions of this work, and outlines the various strands of further development that can then build on it. 2. Revising the Denotational Semantics The problem that has been identified with the previous version of the denotational semantics (that is, the version that was presented in [5] as a replacement for the one originally given in [2]) can be illustrated by the following example of three sequences that are equal under the axioms: s = (a ; b ; φ ) (a ; φ) = a ; ((b ; φ) φ) = a ; b ; φ Computing the semantics for each of these three sequences, using the definitions from [5], gives the following results: Sem ((a ; b ; φ ) (a ; φ)) = SemAlt (SemA (a ; b ; φ ), SemA (a ; φ)) = SemAlt (SemSeq (SemSeq (SemS (a), SemS (b)), SemS (φ)), SemSeq (SemS (a), SemS (φ))) = SemAlt (SemSeq (SemSeq (<{a}, >, <{b}, >), <, Λ>), SemSeq (<{a}, >, <, Λ>)) = SemAlt (SemSeq (<{a.b}, >, <, Λ>), <, {a}>) = SemAlt (<, {a.b}>, <, {a}>) = <, {a.b, a}> Sem (a ; ((b ; φ) φ)) = SemSeq (SemS (a), SemAlt (SemSeq (SemS (b), SemS (φ)), SemA (φ))) = SemSeq (<{a}, >, SemAlt (SemSeq (<{b}, >, <, Λ>), <, >)) = SemSeq (<{a}, >, SemAlt (<, {b}>, <, >)) = SemSeq (<{a}, >, <, {b}>) = <, {a.b}> Sem (a ; b ; φ) = SemSeq (SemSeq (SemS (a), SemS (b)), SemS (φ)) = SemSeq (SemSeq (<{a}, >, <{b}, >), <, Λ>) = SemSeq (<{a.b}, >, <, Λ>) = <, {a.b}> Comparing these three results, it should be apparent that the second and third are correct, while the first one is incorrect, because the string a should not be in the invalid set as well as the longer string a.b. Indeed, the insight that arises from this example is that in general the invalid set should not contain two strings such that one is both shorter than the other and also a prefix of it, but there is nothing in this version of the semantics to systematically exclude such possibilities. With hindsight it can be observed that to some extent the reason for having two alternative versions of the semantics of the forbidden action (one for sequencing and the other for alternation) in the version given in [5] was to try to achieve this effect. What this example illustrates, however, is that this mechanism does not achieve this completely. Indeed, the reason why the proof of theorem 14 in [5] breaks down, as demonstrated by the fact that the first two results above are different when this theorem states that they should be the same, is that when calculating the semantics of s2 and s3 this proof ignores the possibility that SemA and SemS may be different, which they are in this particular case. Thus, this proof effectively calculates the semantics of φ as <, Λ> in all cases, rather than also considering the case where it should instead be <, >, and while this apparently produced a proof of the theorem, doing the calculation in this way is what leads in the first case above to the introduction of the additional element a in the final result. To solve this problem, therefore, the semantics must be revised by firstly introducing an additional invariant, to express the fact that the invalid set must not contain any two strings such that one is both shorter than the other and also a prefix 2

3 of it, and then secondly amending the definitions of the operations SemAlt and SemSeq so as to ensure that this additional invariant is also maintained. The new version of the semantics therefore uses much of the machinery introduced in [5], of which the first element is the type PAString with its constant λ and its concatenation operation denoted by a.b for any two strings a and b. For this type it is also convenient to define here the length function, which was not needed in [5]: its form is len : PAString and it is defined by the axioms (i) len (λ) 0 (ii) len (a.b) len (a) + len (b) The second element of this previous machinery is the type PAString with its constant Λ { λ } and its operation A B that is defined as (iii) A B {a, b : PAString a A b B a.b } so that A, B : PAString A = B = A B = Here, as was done in [6], the notations used in Z [7] for existential and universal qualification and for set comprehensions have been adopted, and these notations will be used throughout. An important aspect of the behaviour of this operation, that needs to be noted here, is that while A, B : PAString, a, b : PAString a A b B a.b A B the converse is not true. For instance, if we have A = { a } and B = { b.c }, where b λ, so that A B = { a.b.c }, then it is obvious that a.b A and that c B, but that (a.b).c = a.b.c A B. Furthermore, it is possible to construct examples where one of the strings is a member of A or B and the other is not, but the concatenation of them is a member of A B. For instance, given A = { a, a.b } and B = { c }, so that A B = { a.c, a.b.c }, then if b λ we have a A and b.c B, but a.b.c A B. Similarly, given A = { a } and B = { b.c, c }, so that A B = { a.b.c, a.c }, then (again if b λ) we have a.b A and c B, but again a.b.c A B. The third element of this machinery is that the semantics of any element of SeqConst are defined in terms of the type called SeqSem, where an object of this type is an ordered pair of these sets, with the first element containing the valid strings (meaning those representing sequences of actions that terminate correctly), and the second set the invalid strings (meaning those representing sequences of actions that terminate in the forbidden action). Thus, this type has the constructor operation < v, i > that was used in the calculations above, where v, i PAString, and it has the two observer operations denoted valid (sem) and invalid (sem) for any sem SeqSem, where these operations return the valid and invalid sets respectively, as defined by the axiom (iv) sem : SeqSem < valid (sem), invalid (sem) > = sem To express the invariants that should apply to this type SeqSem, the fourth element of the existing machinery is the concept of one string being a prefix of another, which is represented by two operations. One is an infix operation called IsPrefixOf, with signature PAString PAString Bool, and defined as (v) x IsPrefixOf y { z PAString : x.z = y } with the properties (vi) (vii) x : PAString x IsPrefixOf x = true x : PAString λ IsPrefixOf x = true The other is an operation called Prefixes, with signature PAString PAString, which is defined as (viii) Prefixes (x) { y : PAString y IsPrefixOf x y } which is generalised to the signature PAString PAString by the definition (ix) Prefixes (x) UPr efixes(y) y x 3

4 As an aside, it may be noted that this operator IsPrefixOf corresponds to the notion of the first string being less than or equal to the second one, but the latter notion could also be understood as extending to the more general concept of the first being a substring of the second. This more general notion is not required here, and so the symbol IsPrefixOf will continue to be used, rather than. For the revised definitions that need to be created here, this concept now needs to be extended to the notion of one string not only being a prefix of another, but also being shorter. For the same reason, rather than describing this in terms of one string being strictly less than another, and denoting it using the symbol <, we will describe it as the first string being a proper prefix of the second. To achieve this we introduce a further infix operation IsProPrefixOf, also with signature PAString PAString Bool, which is defined as (x) x IsProPrefixOf y { z : PAString z λ x.z = y } and which therefore has the properties (xi) (xii) x : PAString x IsProPrefixOf x = false x : PAString x λ λ IsProPrefixOf x = true We also itnorduce a further operation ProPrefixes, with signature PAString PAString, which is defined as (xiii) ProPrefixes (x) { y : PAString y IsProPrefixOf x y } and which therefore has the property (xiv) ProPrefixes (λ) = This is then generalised to the signature PAString PAString by the definition (xv) ProPrefixes (x) UProPrefixes(y) y x and this generalisation has the property that (xvi) ProPrefixes ( ) = ProPrefixes (Λ) = Then, the required invariant for SeqSem has to be strengthened from the form used in [5], which was to sem : SeqSem Prefixes (valid(sem)) invalid(sem) = (xvii) sem : SeqSem (Prefixes (valid(sem)) invalid(sem) = ) ( x1, x2 : PAString x1 invalid(sem) x2 invalid(sem) x1 IsProPrefixOf x2) which can alternatively be expressed as (xviii) sem : SeqSem ((Prefixes (valid(sem)) invalid(sem)) = ) ((invalid(sem) ProPrefixes (invalid(sem))) = ) Given this additional constraint, then modifying the definitions of the functions SemAlt and SemSeq to ensure that it holds results in a significant simplification, in that it is no longer necessary to have separate semantic functions SemA and SemS. Hence, the revised definition of the semantics can be expressed simply in terms of the following axioms. (xix) Sem (φ) = <, Λ > (xx) Sem (ε) < Λ, > (xxi) Sem (a) < {a }, > (xxii) Sem (s1 ; s2) SemSeq ( Sem (s1), Sem (s2) ) (xxiii) Sem (s1 s2) SemAlt ( Sem (s1), Sem (s2) ) (xxiv) SemSeq (x, y) < v, i Prefixes (v) ProPrefixes (i) > where 4

5 (xxv) v valid (x) valid (y) and i invalid (x) ( valid (x) invalid (y) ) SemAlt (x, y) < v, i Prefixes (v) ProPrefixes (i) > where v valid (x) valid (y) and i invalid (x) invalid (y) Alternatively, the last two of these can also be written as (xxvi) SemSeq (x, y) < v, i (Prefixes (v) ProPrefixes (i)) > where v valid (x) valid (y) and i invalid (x) ( valid (x) invalid (y) ) (xxvii) SemAlt (x, y) < v, i (Prefixes (v) ProPrefixes (i)) > where v valid (x) valid (y) and i invalid (x) invalid (y) using the standard result from set theory that, for any sets x, y and z, x y z = x (y z). A consequence of this revised definition is that a further invariant will hold for SeqSem, namely (xxviii) sem : SeqSem valid(sem) invalid(sem) By contrast with the previous version of the invariant that was given in [5], though, the invariant that combines this with either (xvii) or (xviii) is sufficiently complicated that one can not simply assume as obvious the fact of it being an invariant, and so instead it needs to be proven that this invariant really is an invariant, and this is done in the next section. In proving properties of this revised version of the semantics, such as this, we can use not only the properties that were given in [5] for the prefixes, but also more general properties, which are expressed as the following theorems. Theorem 1. x, y : PAString Prefixes (x y) = Prefixes (x) Prefixes (y) p Prefixes (x y) ( q : PAString p.q x) ( q : PAString p.q y) (p Prefixes (x)) (p Prefixes (y)) p (Prefixes (x) Prefixes (y)) Theorem 2. x, y : PAString Prefixes (x.y) = Prefixes (x) ({x} Prefixes (y)) Prefixes (x.y) = {p : PAString p IsPrefixOf x.y p } = {p : PAString p IsPrefixOf x p } {p : PAString p IsPrefixOf y x.p } = Prefixes (x) ({x} Prefixes (y)) Theorem 3. x, y : PAString x = y = Prefixes (x y) = x, y : PAString y Prefixes (x y) = Prefixes (x) (x Prefixes (y)) For the first clause we have x = y = x y = Prefixes (x y) = For the second clause we have y Prefixes (x y) = UPr efixes(p) p x y = U(Pr efixes(p1) ({p1} Pr efixes(p2)) from theorem 2 p1 x, p2 y = UPr efixes(p1) U ({p1} UPr efixes(p2)) p1 x p1 x = Prefixes (x) (x Prefixes (y)) p2 y The results that were given in [5] then follow directly from these more general results, viz: 5

6 Theorem 4. x, y PAString Prefixes (x) Prefixes (x y) Follows immediately from theorem 1. Theorem 5. x, y PAString Prefixes (x) Prefixes (x y) Follows immediately from theorem 3. Theorem 6. x, y PAString x Prefixes (y) Prefixes (x y) Also follows immediately from theorem 3. As well as these, there are similar results for the proper prefixes, which are expressed as the following theorems. Theorem 7. x, y : PAString ProPrefixes (x y) = ProPrefixes (x) ProPrefixes (y) p ProPrefixes (x y) ( q : PAString q λ p.q x) ( q : PAString q λ p.q y) (p ProPrefixes (x)) (p ProPrefixes (y)) p (ProPrefixes (x) ProPrefixes (y)) Theorem 8. x, y : PAString ProPrefixes (x.y) = ProPrefixes (x) ({x} ProPrefixes (y)) ProPrefixes (x.y) = {p : PAString p IsProPrefixOf x.y p } = {p : PAString p IsProPrefixOf x p } {p :PAString p IsProPrefixOf y x.p} = ProPrefixes (x) ({x} ProPrefixes (y)) Theorem 9. x, y : PAString x = y = ProPrefixes (x y) = x, y : PAString y ProPrefixes (x y) = ProPrefixes (x) (x ProPrefixes (y)) For the first clause we have x = y = x y = ProPrefixes (x y) = For the second clause we have y ProPrefixes (x y) = UPr opr efixes (p) p x y = U(Pr opr efixes (p1) ({p1} Pr opr efixes(p2)) from theorem 8 p1 x, p2 y = UPr opr efixes (p1) U ({p1} UPr opr efixes(p2) ) p1 x p1 x = ProPrefixes (x) (x ProPrefixes (y)) p2 y Theorem 10. x, y : PAString ProPrefixes (x) ProPrefixes (x y) 6

7 Follows immediately from theorem 7. Theorem 11. x, y : PAString ProPrefixes (x) ProPrefixes (x y) Follows immediately from theorem 9. Theorem 12. x, y : PAString x ProPrefixes (y) ProPrefixes (x y) Also follows immediately from theorem 9. There is also one other result for the proper prefixes that is new, in the sense that an equivalent for the prefixes had not been needed, and this is expressed as the following theorem. Theorem 13. x, y : PAString (ProPrefixes (x) ProPrefixes (x y)) (ProPrefixes (x y) ProPrefixes (x) ProPrefixes (y)) For the first clause in the theorem we need to show that p : PAString p ProPrefixes (x y) p ProPrefixes (x) and for this we have p ProPrefixes (x y) q : PAString q λ p.q x y p.q x p ProPrefixes (x) For the second clause in the theorem we need to show that p : PAString p ProPrefixes (x) ProPrefixes (y) p ProPrefixes (x y) and for this we have p ProPrefixes (x y) ( q : PAString q λ p.q x) ( r : PAString r λ p.r y) ( q : PAString q λ p.q x) ( r : PAString r λ p.r y) p.q x p.q y p ProPrefixes (x y) The final element of the previous machinery that is needed is the group of results that related the various set operators. Three of these were given in [5] as theorems 5, 6 and 7, and since they have been established there they are repeated here simply as the following axioms: (xxvix) x, y, z : PAString (x (y z)) (x z) = (x y) (x z) (xxx) x, y, z : PAString (x y) (x z) = x (y z) (xxxi) x, y, z : PAString (x y) z = (x z) (y z) Four others were stated in [5] as axioms (xviii) to (xxi), and so are repeated here as axioms also, viz: (xxxii) x, y, z : PAString (x y) z = (x z) (y z) (xxxiii) x, y, z : PAString ((x y) z) y = (x z) y (xxxiv) x, y, z : PAString y z x y = (x z) (y z) (xxxv) x, y, z : PAString y z (x y) z = (x z) y = x z Finally, a number of additional results need to be added to these. Firstly there are two that were used extensively in the proofs of the theorems in [5], but not actually stated formally, viz: 7

8 (xxxvi) x, y : PAString x y = x y = x and the related result that (xxxvii) x, y : PAString x y y = Secondly there is a result that is related to (xxxiii), and is: (xxxviii) x, y, z : PAString (x y) z = (x z) (y z) Finally, there is the property that the operator is associative, and this is expressed as the following theorem. Theorem 14. x, y, z : PAString (x y) z = x (y z) p, q, r : PAString p x q y r z p.q (x y) (p.q).r (x y) z p.q.r (x y) z and p, q, r : PAString p x q y r z q.r (y z) p.(q.r) x (y z) p.q.r x (y z) Hence p, q, r : PAString p x q y r z p.q.r (x y) z p.q.r x (y z) (x y) z = x (y z) 3. The Invariant Property for the Semantics In order to show that the invariant properties for the semantics given in axioms (xviii) and (xxviii) in the previous section do actually form an invariant, a number of intermediate definitions and results are required. Both in defining these and proving properties of them, all references to axioms are to ones in the previous section. The first of these definitions introduces the notion of the subset of a set of strings that just consists of the longest strings in the set, and this is represented as a function Longest which has signature PAString PAString, and which is defined as Longest (x) {y : PAString (y x) ( z : PAString z x len (z) len (y)) y } From this definition it is then obvious that x : PAString Longest (x) x The properties of the set computed by this function can then be expressed by the following theorem. Theorem 15. x : PAString (x Longest (x) ) ( p, q : PAString p Longest (x) q Longest (x) len (p) = len (q)) The proof is by induction over the cardinality of the set x, where the base cases are for the cardinalities 0 and 1, and the induction hypothesis is that, for any n > 1, the theorem holds x : PAString x = n and the induction step is to show that it therefore holds x : PAString x = n + 1. Base case: x = Longest (x) =, and so the theorem trivially holds. Base case: x = { y } where y : PAString Longest (x) = { y }, and so again the theorem trivially holds. Inductive case: for any arbitrary integer n > 0 let x1 : PAString be such that x1 = n, so that by the induction hypothesis the theorem holds for x1. Then, let x = x1 { y } where y : PAString, which gives rise to three sub-cases, depending on the comparison between len (y) and any arbitrary element p of Longest (x1), as follows. 8

9 Sub-case (i): p : PAString p Longest (x1) len (p) > len (y) p Longest (x) Longest (x) = Longest (x1) and so the theorem holds for x by the induction hypothesis. Sub-case (ii): p : PAString p Longest (x1) len (p) = len (y) p Longest (x) Longest (x) = Longest (x1) { y } and since the theorem holds for x1 by the induction hypothesis, it must therefore hold for x too. Sub-case (iii): p : PAString p Longest (x1) len (p) < len (y) Longest (x) = { y } and so the theorem trivially holds for x. The induction then starts from the base cases of n = 0 and n = 1, where n = x, and the inductive step is that, since the theorem holds for all sets x with cardinality n, by the case analysis above it must also hold for all sets x with cardinality n+1. Hence the result is proved for successive values of n from 0 upwards, which establishes the theorem as a whole. The significance of this property for the function Longest then follows from the relationship between the lengths of a string and its proper prefixes, which is expressed as the following theorem. Theorem 16. p, q : PAString q ProPrefixes (p) len (q) < len (p) q ProPrefixes (p) x : PAString x λ p = q.x len (x) > 0 len (p) = len (q) + len (x) len (q) = len (p) len (x) len (x) > 0 len (q) < len (p) From this we then have the result that is expressed as the following theorem. Theorem 17. x : PAString Longest (x) x ProPrefixes (x) p : PAString p Longest (x) p x since Longest (x) x and q : PAString q ProPrefixes (p) len (q) < len (p) from theorem 16 q : PAString q ProPrefixes (x) len (q) < len (p) p ProPrefixes (x) p x ProPrefixes (x) Longest (x) x ProPrefixes (x) Given these results, then the invariant property for the semantics that combines those given in axioms (xviii) and (xxviii) can be expressed and proved as in the following theorem. Theorem 18. s : SeqConst, v, i : PAString Sem(s) = <v, i> (v i ) ((Prefixes (v) i) = ) ((i ProPrefixes (i)) = ) The proof is by structural induction over the three main cases that correspond to the possible structures of the object s. The induction hypothesis is that, for any n > 1, the theorem holds s : SeqConst SCC (s) < n and the induction step is to show that it therefore holds s : SeqConst SCC (s) = n. Base case: an action, so that n = 1. This has three sub-cases, for the possible values of the action. (i) s ε v = Λ i = (v i ) ((Prefixes (v) i) = ) ((i ProPrefixes (i)) = ) by calculation. 9

10 s φ v = i = Λ Prefixes (v) = ProPrefixes (i) = (v i ) ((Prefixes (v) i) = ) ((i ProPrefixes (i)) = ) by calculation. s a : PA v = {a} i = (v i ) ((Prefixes (v) i) = ) ((i ProPrefixes (i)) = ) by calculation. Hence, the theorem holds for all three sub-cases of this base case. Recursive case: an object constructed by alternation, so that s s1 s2. Let Sem(s1) = <v1, i1> and Sem(s2) = <v2, i2>, so that v = v1 v2 and i = i1 i2 Prefixes (v) ProPrefixes (i1 i2). Then let x = i1 i2 ProPrefixes (i1 i2) and y = Prefixes (v) Prefixes (v) i = y x y = and let x = i1 i2 Prefixes (v) and y = ProPrefixes (i1 i2) i ProPrefixes (i1 i2) = x y y = and ProPrefixes(i) y (i ProPrefixes (i)) = x y y = axiom (xxxvii) axiom (xxxvii) Finally, to show v i there are two sub-cases. The first of these sub-cases is v1 v2 v. The second of these sub-cases is v1 = v2 = v = Prefixes (v) = i = i1 i2 ProPrefixes (i1 i2) i Longest (i1 i2) from theorem 17 i from theorem 15. Hence, since the theorem holds for both of these sub-cases, it holds for this recursive case. Recursive case: an object constructed by sequencing so that s s1 ; s2. Let Sem(s1) = <v1, i1> and Sem(s2) = <v2, i2>, so that v = v1 v2 and i = i1 (v1 i2) Prefixes (v) ProPrefixes (i1 (v1 i2)). Then let x = i1 (v1 i2) ProPrefixes (i1 (v1 i2)) and y = Prefixes (v) Prefixes (v) i = y x y = and let x = i1 (v1 i2) Prefixes (v) and y = ProPrefixes (i1 (v1 i2)) i ProPrefixes (i1 (v1 i2)) = x y y = and ProPrefixes(i) y (i ProPrefixes (i)) = x y y = axiom (xxxvii) axiom (xxxvii) Finally, to show v i there are three sub-cases. The first of these sub-cases is v1 v2 v. The second of these sub-cases is v1 = v1 i2 = i = i1 ProPrefixes (i1) i Longest (i1) from theorem 17 and i1 induction hypothesis Longest (i1) from theorem 15. i from theorem 15. The third of these sub-cases is v1 v2 = i2 induction hypothesis v1 i2 and i = i1 (v1 i2) ProPrefixes (i1 (v1 i2)) i Longest (i1 (v1 i2)) from theorem 17 Longest (i1 (v1 i2)) since v1 i2 i from theorem 15. Hence, since the theorem holds for all three of these sub-cases, it holds for this recursive case. The induction then starts from the base case, which is a single action, with SCC equal to one, and the inductive step is that, since the theorem holds for all sequences with SCC < n, by the case analysis above it must also hold for all sequences with SCC = n. Hence the result is proved for successive values of n from 1 upwards, which establishes the theorem as a whole. 10

11 A corollary of this invariant is that there are three possible cases for the construction of the invalid set. The first of these is that it can be empty, and in this case the valid set must be non-empty. The second case is that it can consist of just the empty string. The third case is that it can contain at least one non-empty string, and in this case it can not also contain the empty string. These cases are needed for one of the proofs in the following section, and so this property needs to be established formally, as the following theorem. Theorem 19. s : SeqConst, v, i : PAString Sem(s) = <v, i> (i = ) (i = Λ) ( x : PAString x λ x i λ i) The proof is by analysis of the different possible cases for the cardinality of i. Case (i): i = 0 i =. Case (ii): i = 1 x : PAString i = { x }. There are then two sub-cases for this, depending on the value of x. x = λ i = Λ. x λ λ i x : PAString x λ x i λ i. Case (iii): i > 1. This case requires an argument by contradiction to show that λ i, as follows. Suppose that λ i. Then, since i > 1, there must be at least one other element of i, so let i = i λ. Then, i > 1 i > 0 x : PAString x λ x i x : PAString x λ x i. Then ProPrefixes (i) = ProPrefixes ( { λ } ) ProPrefixes (i ) from theorem 7 = ProPrefixes (i ) from axiom (xvi) and ProPrefixes (x) ProPrefixes (i ) = ProPrefixes (i) from axiom (xv) and x λ λ ProPrefixes (x) from axiom (xii) λ ProPrefixes (i). But i ProPrefixes (i) = from theorem 18 which gives a contradiction between the assumption that λ i and the conclusion that λ ProPrefixes (i). Hence the assumption must be false, so that λ i. Hence, we have x : PAString x λ x i λ i. Hence the theorem holds for all three cases, and so holds. Also, there are some properties of the invalid set in the semantics that are important for some of the proofs in the following section, and these are defined by the following pair of theorems, one for objects in SeqConst that are constructed by alternation and the other for objects that are constructed by sequencing. Theorem 20. s1, s2 : SeqConst, v1, v2, v, i1, i2, im, i : PAString, x : PAString Sem (s1) = <v1, i1> Sem (s2) = <v2, i2> Sem (s1 s2) = <v, i> im = i1 i2 ( x ProPrefixes (im) x ProPrefixes (i) ) ( x ProPrefixes (im) x Prefixes (v) x ProPrefixes (i) ) For the first part of the theorem the proof is as follows. i = im Prefixes (v) ProPrefixes (im) from axiom (xxiv) x i x im x Prefixes (v) x ProPrefixes (im) im i ProPrefixes (im) ProPrefixes (i) from theorem 7 ( x ProPrefixes (im) x ProPrefixes (i) ). For the second part of the theorem, informally the proof consists of showing that, for any string x in ProPrefixes (im) that is not also in Prefixes (v), there must be a longer string z in im, meaning that x is a proper prefix of z, but that z is not in ProPrefixes (im). Consequently, this string z is not removed from im by the terms Prefixes (v) or ProPrefixes (im), and so is also in i, which means that the shorter string x must be in ProPrefixes (i). Formally, the proof is as follows. 11

12 x ProPrefixes (im) x ProPrefixes (i1 i2) x ProPrefixes (i1) x ProPrefixes (i2) from theorem 7. Hence, there are three cases to be considered, depending on whether x is a member of one or the other of these two sets, or both. Case (i): x ProPrefixes (i1) x ProPrefixes (i2). x ProPrefixes (i1) z: PAString z i1 x IsProPrefixOf z Then z i1 z ProPrefixes (i1) from theorem 18. If we had z ProPrefixes (i2) x ProPrefixes (i2), but x ProPrefixes (i2) z ProPrefixes (i2). Hence z i1 z im z ProPrefixes (i1) z ProPrefixes (i2) z ProPrefixes (im) w: PAString w im z IsProPrefixOf w. Also, if we had z Prefixes (v) x Prefixes (v), since x IsProPrefixOf z, but x Prefixes (v) z Prefixes (v). Hence z im z Prefixes (v) z ProPrefixes (im) z i and z i x IsProPrefixOf z x ProPrefixes (i), so that the theorem holds for this case. Case (ii): x ProPrefixes (i1) x ProPrefixes (i2). This case is symmetrical with case (i), and so the symmetrical argument applies, and does not need to be repeated in detail. Case (iii): x ProPrefixes (i1) x ProPrefixes (i2). By the argument used in case (i) we must have z1: PAString z1 im x IsProPrefixOf z1 z1 ProPrefixes (i1) z1 Prefixes (v) w: PAString w i1 z1 IsProPrefixOf w and z2: PAString z2 im x IsProPrefixOf z2 z2 ProPrefixes (i2) z2 Prefixes (v) w: PAString w i2 z2 IsProPrefixOf w. Then there are three possible sub-cases, depending on how z1 and z2 are related. Sub-case (a): z1 IsProPrefixOf z2 z1 ProPrefixes (im) ( z2 IsProPrefixOf z1) ( w: PAString w im z1 IsProPrefixOf w) ( w: PAString w im z2 IsProPrefixOf w) z2 ProPrefixes (im) Hence z2 im z2 Prefixes (v) z2 ProPrefixes (im) z2 i and z2 i x IsProPrefixOf z2 x ProPrefixes (i), so that the theorem holds for this sub-case. Sub-case (b): z2 IsProPrefixOf z1, so that the argument is symmetrical with that for sub-case (a), and gives z1 im z1 Prefixes (v) z1 ProPrefixes (im) z1 i and z1 i x IsProPrefixOf z1 x ProPrefixes (i), so that the theorem holds for this sub-case. Sub-case (c): ( z1 IsProPrefixOf z2) ( z2 IsProPrefixOf z1) ( w: PAString w im z1 IsProPrefixOf w) ( w: PAString w im z2 IsProPrefixOf w) ( w: PAString w im (z1 IsProPrefixOf w) (z2 IsProPrefixOf w)) z1 ProPrefixes (im) z2 ProPrefixes (im). Hence z1 im z1 Prefixes (v) z1 ProPrefixes (im) z1 i and z1 i x IsProPrefixOf z1 x ProPrefixes (i), and similarly z2 im z2 Prefixes (v) z2 ProPrefixes (im) z2 i and z2 i x IsProPrefixOf z2 x ProPrefixes (i), so that the theorem holds from both z1 and z2, and so holds for this sub-case. Hence, it holds for all three sub-cases, and so holds for this case, which means that it holds for all three main cases, and thus holds. Theorem 21. s1, s2 : SeqConst, v1, v2, v, i1, i2, im, i : PAString, x : PAString Sem (s1) = <v1, i1> Sem (s2) = <v2, i2> Sem (s1 ; s2) = <v, i> im = i1 (v1 i2) ( x ProPrefixes (im) x ProPrefixes (i) ) ( x ProPrefixes (im) x Prefixes (v) x ProPrefixes (i) ) 12

13 For the first part of the theorem the proof is as follows. i = im Prefixes (v) ProPrefixes (im) from axiom (xxiv) x i x im x Prefixes (v) x ProPrefixes (im) im i ProPrefixes (im) ProPrefixes (i) from theorem 7 ( x ProPrefixes (im) x ProPrefixes (i) ). For the second part of the theorem, the proof has a similar structure to that of theorem 20, except that there are two possible constructions for z that need to be considered, as if x is in v1 i2 then the longer string must be of the form y.z in v1 i2, where y is in v1 and z is in i2. Thus, formally, the proof is as follows. x ProPrefixes (im) x ProPrefixes (i1 (v1 i2)) x ProPrefixes (i1) x ProPrefixes (v1 i2) from theorem 7. Hence, there are three cases to be considered, depending on whether x is a member of one or the other of these two sets, or both. Case (i): x ProPrefixes (i1) x ProPrefixes (v1 i2). x ProPrefixes (i1) z: PAString z i1 x IsProPrefixOf z Then z i1 z ProPrefixes (i1) from theorem 18. If we had z ProPrefixes (v1 i2) x ProPrefixes (v1 i2), but x ProPrefixes (v1 i2) z ProPrefixes (v1 i2). Hence z i1 z im z ProPrefixes (i1) z ProPrefixes (v1 i2) z ProPrefixes (im) w: PAString w im z IsProPrefixOf w. Also, if we had z Prefixes (v) x Prefixes (v), since x IsProPrefixOf z, but x Prefixes (v) z Prefixes (v). Hence z im z Prefixes (v) z ProPrefixes (im) z i and z i x IsProPrefixOf z x ProPrefixes (i), so that the theorem holds for this case. Case (ii): x ProPrefixes (i1) x ProPrefixes (v1 i2). x ProPrefixes (v1 i2) x (ProPrefixes (v1) (v1 ProPrefixes (i2))) from theorem 9 x (v1 ProPrefixes (i2)). Hence, x must be of the form y.z where y v1 and z ProPrefixes (i2) z i2 (from theorem 18), and indeed there may be several such forms (ie with different strings y and z ). The argument then involves a process, in which if there is only any one such form the process starts from that, and otherwise an arbitrary one must be selected. Then the next step in the process is to construct z i2 such that z ProPrefixes (z). Such a z must exist, and it must be unique, because if there was another one, denoted Z, that was different, then from theorem 18 we would have to have either z ProPrefixes (Z) z i2, or Z ProPrefixes (z) Z i2, and so either way there would be a contradiction. Then, also from theorem 18, z i2 z ProPrefixes (i2), and this gives rise to two possibilities. If this y.z was the only such form for x, then there can not be any y, z such that y.z = y.z and y v1 and z ProPrefixes (i2), and so we must have y.z (v1 ProPrefixes (i2)). Alternatively, if such a form y.z does exist, then the process takes this instead of the original y.z, and repeats the construction of finding a new z such that z i2 z ProPrefixes (z). Such repetitions of the construction must eventually terminate with the longest possible such y.z, with which the process terminates and for which it will be the case that: y.z = x z ProPrefixes (z) z i2 y.z (v1 i2) y.z (v1 ProPrefixes (i2)). If we had y.z ProPrefixes (i1) x ProPrefixes (i1), but x ProPrefixes (i1) y.z ProPrefixes (i1). Hence y.z v1 i2 z im y.z ProPrefixes (i1) y.z (v1 ProPrefixes (i2)) y.z ProPrefixes (im) w: PAString w im y.z IsProPrefixOf w. 13

14 Also, if we had y.z Prefixes (v) x Prefixes (v), since x IsProPrefixOf y.z, but x Prefixes (v) y.z Prefixes (v). Hence y.z im y.z Prefixes (v) y.z ProPrefixes (im) y.z i and y.z i x IsProPrefixOf y.z x ProPrefixes (i), so that the theorem holds for this case. Case (iii): x ProPrefixes (i1) x ProPrefixes (v1 i2). By the argument used in case (i) we must have z1: PAString z1 im x IsProPrefixOf z1 z1 ProPrefixes (i1) z1 Prefixes (v) w: PAString w i1 z1 IsProPrefixOf w and y, z2: PAString y.z2 im x IsProPrefixOf y.z2 y.z2 ProPrefixes (i2) y.z2 Prefixes (v) w: PAString w i2 y.z2 IsProPrefixOf w. Then there are three possible sub-cases, depending on how z1 and y.z2 are related. Sub-case (a): z1 IsProPrefixOf y.z2 z1 ProPrefixes (im) ( y.z2 IsProPrefixOf z1) ( w: PAString w im z1 IsProPrefixOf w) ( w: PAString w im y.z2 IsProPrefixOf w) y.z2 ProPrefixes (im) Hence y.z2 im y.z2 Prefixes (v) y.z2 ProPrefixes (im) y.z2 i and y.z2 i x IsProPrefixOf y.z2 x ProPrefixes (i), so that the theorem holds for this sub-case. Sub-case (b): y.z2 IsProPrefixOf z1 y.z2 ProPrefixes (im) ( z1 IsProPrefixOf y.z2) ( w: PAString w im y.z2 IsProPrefixOf w) ( w: PAString w im z1 IsProPrefixOf w) z1 ProPrefixes (im) Hence z1 im z1 Prefixes (v) z1 ProPrefixes (im) z1 i and z1 i x IsProPrefixOf z1 x ProPrefixes (i), so that the theorem holds for this sub-case. Sub-case (c): ( z1 IsProPrefixOf y.z2) ( y.z2 IsProPrefixOf z1) ( w: PAString w im z1 IsProPrefixOf w) ( w: PAString w im y.z2 IsProPrefixOf w) ( w: PAString w im (z1 IsProPrefixOf w) (y.z2 IsProPrefixOf w)) z1 ProPrefixes (im) y.z2 ProPrefixes (im). Hence z1 im z1 Prefixes (v) z1 ProPrefixes (im) z1 i and z1 i x IsProPrefixOf z1 x ProPrefixes (i), and similarly y.z2 im y.z2 Prefixes (v) y.z2 ProPrefixes (im) y.z2 i and y.z2 i x IsProPrefixOf y.z2 x ProPrefixes (i), so that the theorem holds from both z1 and y.z2, and so holds for this sub-case. Hence, it holds for all three sub-cases, and so holds for this case, which means that it holds for all three main cases, and thus holds. 4. Soundness of the Axioms and Formal Semantics As in [5], we then need to show that the axioms of the algebra are sound with respect to the semantics, although (as was observed in [5]) it might be more accurate to refer to this as showing that the semantics are sound with respect to the axioms. This involves proving that the semantics are consistent with the axioms of the algebra, so that a theorem is required for each axiom. In [5] these were theorems 8 to 16, and the statements of the corresponding theorems here are identical to these, but of course the proofs are different in detail (even where they have similar structures), since the working in them uses the revised definitions of the semantics from the previous section. For some of these theorems, though, the structures of the proofs need to be quite different from those in [5], because it is not practical to try to prove them simply by algebraic manipulation, and so a new proof strategy has to be adopted. To reflect this, the order of the theorems has been changed from [5], so as to deal first with the associative property of the alternation operator rather than of the sequencing operator, as these both require the new strategy, but the form of it is simpler for the alternation operator than it is for sequencing. Other aspects of the presentation of these theorems are, though, very similar to that in [5]. In particular, to make the results more readable the convention is adopted for the theorems in this section that elements of SeqConst are shown in bold face. Also, it should be noted that references to axioms in the notes on proof steps are to ones in section 2. 14

15 Theorem 22. s1, s2, s3 : SeqConst Sem ( s1 (s2 s3) ) = Sem ( (s1 s2) s3 ) Let Sem ( s1 ), Sem ( s2 ) and Sem ( s3 ) be denoted by <v1, i1>, <v2, i2> and <v3, i3> respectively, where (from theorem 18): i1 Prefixes (v1) =, i2 Prefixes (v2) =, i3 Prefixes (v3) =, i1 ProPrefixes (i1) =, i2 ProPrefixes (i2) = and i3 ProPrefixes (i3) =. Then let Sem ( s1 s2 ) be denoted by <v12, i12>, Sem ( s2 s3 ) be denoted by <v23, i23>, Sem ( s1 (s2 s3) ) be denoted by <vl, il>, and Sem ( (s1 s2) s3 ) be denoted by <vr, ir>. The proof consists of constructing a common form, which will be denoted by <vc, ic>, and then showing that <vl, il> = <vc, ic> = <vr, ir>. Thus, for the first half of this we have that Sem ( s2 s3 ) = <v23, i23>, where v23 = v2 v3 and i23 = im23 pv23 pi23, and where im23 = i2 i3, pv23 = Prefixes (v23) and pi23 = ProPrefixes (im23) and Sem ( s1 (s2 s3) ) = <vl, il>, where vl = v1 v23 and il = iml pvl pil, and where iml = i1 i23, pvl = Prefixes (vl) and pil = ProPrefixes (iml). The common form is given by <vc, ic>, where vc = v1 v2 v3 and ic = im pvc ppc, and where im = i1 i2 i3, pvc = Prefixes (vc) and ppc = ProPrefixes (im). To show that <vl, il> = <vc, ic> it is necessary to show that vl = vc, which follows immediately from the associativity of, and from which we have pvl = Prefixes (vl) = Prefixes (vc) = pvc, and to show that il = ic. Attempting to show the latter by algebraic reduction is not practical, and instead it requires a case analysis of the various possibilities for an arbitrary element x : PAString being either a member or not a member of the various sets involved. The easiest way of presenting these cases is to identify two major cases, corresponding to whether x is or is not a member of i1, and then within each of those to construct a truth table for the remaining combinations. Case (i) x i1, from which we have x Prefixes (v1) from theorem 18. Hence x pv23 x pvl x pvc from theorem 1. Also x i1 x ProPrefixes (i1) from theorem 18 and so x ProPrefixes (i23) x pil from theorem 7. Also, we have that x pi23 x ProPrefixes (im23) and ProPrefixes (im23) ProPrefixes (im) from theorem 7 so that x pi23 x ppc and since x ProPrefixes (i1) we also have x ppc x pi23, so that x pi23 x ppc. In principle the truth table for this case then needs to have four independent variables, corresponding to whether x is or is not a member of im23, pv23, pi23 or ProPrefixes (i23) respectively, where we denote the last of these as PP(i23). In practice, though, the values of these variables are subject to the constraints from theorem 20, so that: x pi23 x ProPrefixes (i23) and x pv23 x pi23 x ProPrefixes (i23). Hence, the required truth table is as follows, where 0 denotes false and 1 denotes true for the properties of x being an element of the set specified in the appropriate column heading of the table. 15

16 im23 pv23 pi23 PP(i23) i23 iml pvl il im ppc ic Case (ii) x i1, which means that x could be an element of Prefixes (v1), or ProPrefixes (i1), or neither or both. For these possibilities we have that: x Prefixes (v1) x pvl x pvc, irrespective of whether x is or is not a member of pv23, whereas if x Prefixes (v1) then the relationships between pv23, pvl and pvc are similar to those in case (i) above, viz x pv23 x pvl x pvc. This situation can be represented in the truth table by replacing any zeros in the column for pvl (and hence for pvc too) by a value that will be denoted P(v1), representing the value of whether x is or is not a member of Prefixes (v1). Similarly, x ProPrefixes (i1) x pil, irrespective of whether x is or is not a member of ProPrefixes (i23), and x ProPrefixes (i1) x ppc, irrespective of whether x is or is not a member of pi23, whereas if x ProPrefixes (i1) then the relationships between PP(i23), pil, pi23 and ppc are similar to those in case (i) above, viz x ProPrefixes (i23) x pil, and x pi23 x ppc. This situation of dependence on whether x ProPrefixes (i1) can be represented in the truth table in similar fashion, by replacing any zeros in the columns for pil and ppc by a value that will be denoted PP(i1), representing the value of whether x is or is not a member of ProPrefixes (i1). A consequence of these is that there are some elements in the columns for il and ic where the values that need to be entered are 1 P(v1) PP(i1) = 1 (P(v1) PP(i1)), which evaluates to 1 if x is not a member of either P(v1) or PP(i1), and to 0 otherwise. These elements will be denoted NE (short for not either ). Apart from these changes, the structure of the table is very similar to that for case (i), although since x i1 x i1 i2 i3 x i2 i3 x im x im23 the column of the table for im is redundant, but instead (as implied above) a separate column needs to be introduced for pil. Hence, the required truth table is as follows. im23 pv23 pi23 PP(i23) i23 iml pvl pil il ppc ic P(v1) PP(i1) 0 PP(i1) P(v1) PP(i1) 0 PP(i1) PP(i1) P(v1) PP(i1) NE PP(i1) NE P(v1) PP(i1) 0 PP(i1) PP(i1) Hence, for both cases we have that il = ic, as shown by the corresponding columns in the two tables, from which it follows that <vl, il> = <vc, ic>. 16

17 The second half of the proof is identical in structure, and for it we have that Sem ( s1 s2 ) = <v12, i12>, where v12 = v1 v2 and i12 = im12 pv12 pi12, and where im12 = (i1 i2), pv12 = Prefixes (v12) and pi12 = ProPrefixes (im12) and Sem ( (s1 s2) s3 ) = <vr, ir>, where vr = v12 v3 and ir = imr pvr pir, and where imr = i12 i3, pvr = Prefixes (vr) and pir = ProPrefixes (imr). The common form is as defined above, and again to show that <vr, ir> = <vc, ic> it is necessary to show that vr = vc, which again follows immediately from the associativity of, and from which we have pvr = Prefixes (vr) = Prefixes (vc) = pvc, and to show that ir = ic, where again the latter requires a case analysis of the various possibilities for an arbitrary element x : PAString being either a member or not a member of the various sets involved. Here the two major cases correspond to whether x is or is not a member of i3, and for each of these a truth table is constructed for the remaining combinations. Case (i) x i3, from which we have as in the first half of the proof x Prefixes (v3) from theorem 18 Hence x pv12 x pvr x pvc from theorem 7. Also x i3 x ProPrefixes (i3) from theorem 18 and so x ProPrefixes (i23) x pil from theorem 7. Also, we have that x pi12 x ProPrefixes (im12) and ProPrefixes (im12) ProPrefixes (im) from theorem 7 so that x pi12 x ppc and since x ProPrefixes (i3) we also have x ppc x pi12, so that x pi12 x ppc. Again the truth table for this case needs in principle to have four independent variables, corresponding to whether x is or is not a member of i1 i2, pv12, pi12 or ProPrefixes (i12) respectively, where the last of these is denoted as PP(i12), but again in practice these are subject to the constraints from theorem 20, so that x pi12 x PP(i12) and x pv12 x pi12 x ProPrefixes (i12). The required truth table is then as follows. im12 pv12 pi12 PP(i12) i12 imr pvr ir im ppc ic Case (ii) x i3, which means that x could be an element of Prefixes (v3), or ProPrefixes (i3), or neither or both. For these possibilities we again have that: x Prefixes (v3) x pvr x pvc, irrespective of whether x is or is not a member of pv12, whereas if x Prefixes (v3) then the relationships between pv12, pvr and pvc are similar to those in case (i) above, viz x pv12 x pvr x pvc. This situation can be represented in the truth table by replacing any zeros in the column for pvr (and pvc) by a value that will be denoted P(v3), representing the value of whether x is or is not a member of Prefixes (v3). 17

18 Similarly, x ProPrefixes (i3) x pir, irrespective of whether x is or is not a member of ProPrefixes (i12), and x ProPrefixes (i3) x ppc, irrespective of whether x is or is not a member of pi12, whereas if x ProPrefixes (i3) then the relationships between PP(i12), pir, pi12 and ppc are similar to those in case (i) above, viz x ProPrefixes (i12) x pir, and x pi12 x ppc. This situation too can be represented in the truth table in similar fashion, by replacing any zeros in the columns for pir and ppc by a value that will be denoted PP(i3), representing the value of whether x is or is not a member of ProPrefixes (i3). Again, a consequence of these is that there are some elements in the columns for ir and ic where the values that need to be entered are 1 P(v3) PP(i3) = 1 (P(v3) PP(i3)), which evaluates to 1 if x is not a member of either P(v3) or PP(i3), and to 0 otherwise. These elements will again be denoted NE. Thus, the structure of the table is very similar to that for case (ii) in the first half of the theorem, in that because x i3 x i1 i2 i3 x i1 i2 x im x im12 the column of the table for im is redundant, but a separate column needs to be introduced for pir, and so the required truth table is as follows. im12 pv12 pi12 PP(i12) i12 imr pvr pir ir ppc ic P(v3) PP(i3) 0 PP(i3) P(v3) PP(i3) 0 PP(i3) PP(i3) P(v3) PP(i3) NE PP(i3) NE P(v3) PP(i3) 0 PP(i3) PP(i3) Hence, for both cases we have that ir = ic, as shown by the corresponding columns in the two tables, from which it follows that <vr, ir> = <vc, ic> and so <vl, il> = <vc, ic> = <vr, ir> Sem ( s1 (s2 s3) ) = Sem ( (s1 s2) s3 ) Theorem 23. s1, s2, s3 : SeqConst Sem ( s1 ; (s2 ; s3) ) = Sem ( (s1 ; s2) ; s3 ) Let Sem ( s1 ), Sem ( s2 ) and Sem ( s3 ) be denoted by <v1, i1>, <v2, i2> and <v3, i3> respectively, where (from theorem 18): i1 Prefixes (v1) =, i2 Prefixes (v2) =, i3 Prefixes (v3) =, i1 ProPrefixes (i1) =, i2 ProPrefixes (i2) = and i3 ProPrefixes (i3) =. Then let Sem ( s1 ; s2 ) be denoted by <v12, i12>, Sem ( s2 ; s3 ) be denoted by <v23, i23>, Sem ( s1 ; (s2 ; s3) ) be denoted by <vl, il>, and Sem ( (s1 ; s2) ; s3 ) be denoted by <vr, ir>. As for theorem 22, the proof consists of constructing a common form, which will be denoted by <vc, ic>, and then showing that <vl, il> = <vc, ic> = <vr, ir>. For the first half of this we have that Sem ( s2 ; s3 ) = <v23, i23>, where v23 = v2 v3 and i23 = im23 pv23 pi23, and where im23 = i2 (v2 i3), pv23 = Prefixes (v23) and pi23 = ProPrefixes (im23) and Sem ( s1 ; (s2 ; s3) ) = <vl, il>, where vl = v1 v23 and il = iml pvl pil, and where 18